BitShares Forum
Main => Technical Support => Topic started by: karnal on May 21, 2015, 09:42:40 pm
-
If my understanding is correct, it would be possible to disable the network by DDoSing the 101 (virtual) machines signing blocks.
101 targets is not that much, and most of our delegates are probably running on virtual machines with little resources to spare against attack.
Heck, even a simple SYN flood will probably knock most delegates offline (out of ethical concerns, I have not put this theory to the test).
Has this angle been covered? Have we as a community considered the impact of a DDoS on the delegates? Finding all of their IPs to target seems trivial.
Perhaps present delegates can comment on this? Have you seen such attempts against your machines? Or perhaps increased frequency of (e.g.) SSH brute-force attempts?
-
If my understanding is correct, it would be possible to disable the network by DDoSing the 101 (virtual) machines signing blocks.
101 targets is not that much, and most of our delegates are probably running on virtual machines with little resources to spare against attack.
Heck, even a simple SYN flood will probably knock most delegates offline (out of ethical concerns, I have not put this theory to the test).
Has this angle been covered? Have we as a community considered the impact of a DDoS on the delegates? Finding all of their IPs to target seems trivial.
Perhaps present delegates can comment on this? Have you seen such attempts against your machines? Or perhaps increased frequency of (e.g.) SSH brute-force attempts?
Same as solo miners for Bitcoin-like coins, delegates sign the blocks and usually delegates' machines don't have open ports.
Can you DDoS Bitcoin-like coins' solo miners?
-
They will at least have the bitshares port open. And most likely SSH as well.
There are way (, way) more than 101 bitcoin miners. I would guess the specs for a bitcoin miner will tend to be much more buffed too.
-
They will at least have the bitshares port open. And most likely SSH as well.
There are way (, way) more than 101 bitcoin miners. I would guess the specs for a bitcoin miner will tend to be much more buffed too.
Why would the BitShares port be open? They operate as network clients and connect to other nodes only. The SSH port, yes, if it's a VPS, but SSH ports have a custom number and are usually protected from DDoS by the VPS provider.
How will you get the delegates' IPs, if blocks are propagated by the network and your client usually gets them from other clients and not directly from the delegate?
-
You might not be able to DDoS a single delegate.
You don't know the IP of the delegate (it could use a relay node).
The cost of setting up a backup delegate is insignificant.
Are you still determined to try to DDoS a delegate?
-
They will at least have the bitshares port open. And most likely SSH as well.
There are way (, way) more than 101 bitcoin miners. I would guess the specs for a bitcoin miner will tend to be much more buffed too.
Why would the BitShares port be open? They operate as network clients and connect to other nodes only. The SSH port, yes, if it's a VPS, but SSH ports have a custom number and are usually protected from DDoS by the VPS provider.
How will you get the delegates' IPs, if blocks are propagated by the network and your client usually gets them from other clients and not directly from the delegate?
Delegates are clients too. I really haven't thoroughly checked what the client is doing at the network level, but:
BitShares 986 $user 54u IPv4 34849 0t0 TCP xxx:48096->216.146.143.195:1776 (ESTABLISHED)
BitShares 986 $user 66u IPv4 45237 0t0 TCP xxx:54789->185.82.200.187:1776 (ESTABLISHED)
BitShares 986 $user 82u IPv4 76344 0t0 TCP xxx:54849->104.131.185.84:1776 (ESTABLISHED)
BitShares 986 $user 139u IPv4 78859 0t0 TCP xxx:40946->cpc3-cmbg14-2-0-cust343.5-4.cable.virginm.net:1776 (ESTABLISHED)
BitShares 986 $user 143u IPv4 33992 0t0 TCP xxx:60337->185.82.200.106:40027 (ESTABLISHED)
BitShares 986 $user 144u IPv4 31742 0t0 TCP xxx:37187->216.146.143.206:1776 (ESTABLISHED)
BitShares 986 $user 145u IPv4 31743 0t0 TCP xxx:51099->www2.minebitshares.com:1776 (ESTABLISHED)
BitShares 986 $user 146u IPv4 33643 0t0 TCP xxx:47911->vmi34425.contabo.host:35453 (ESTABLISHED)
BitShares 986 $user 147u IPv4 34011 0t0 TCP xxx:53679->42.96.186.61:1776 (ESTABLISHED)
BitShares 986 $user 148u IPv4 34014 0t0 TCP xxx:41496->delegate.dposhub.org:1776 (ESTABLISHED)
BitShares 986 $user 149u IPv4 35335 0t0 TCP xxx:37978->bitsharesnode:1776 (ESTABLISHED)
BitShares 986 $user 150u IPv4 34029 0t0 TCP xxx:54079->colo.hostirian.com:42990 (ESTABLISHED)
BitShares 986 $user 151u IPv4 75755 0t0 TCP xxx:38961->67.4.107.92.dynamic.wline.res.cust.swisscom.ch:1776 (ESTABLISHED)
BitShares 986 $user 152u IPv4 34031 0t0 TCP xxx:53362->li699-30.members.linode.com:1776 (ESTABLISHED)
BitShares 986 $user 153u IPv4 34032 0t0 TCP xxx:45142->178.62.30.153:1776 (ESTABLISHED)
BitShares 986 $user 154u IPv4 34033 0t0 TCP xxx:56829->104.131.134.181:1776 (ESTABLISHED)
BitShares 986 $user 157u IPv4 34034 0t0 TCP xxx:57893->198.199.106.13:1776 (ESTABLISHED)
BitShares 986 $user 158u IPv4 34933 0t0 TCP xxx:52255->95.215.47.201:42315 (ESTABLISHED)
BitShares 986 $user 160u IPv4 36981 0t0 TCP xxx:60288->li424-154.members.linode.com:1776 (ESTABLISHED)
BitShares 986 $user 161u IPv4 35399 0t0 TCP xxx:58871->li430-37.members.linode.com:1877 (ESTABLISHED)
I'm willing to bet the bold ones are delegates. If so, this means clients also connect to them.
If so, then it is trivial to isolate them. They will be the nodes that are constantly running. Simple network analysis spread over a few days will give you the full list.
-
There is a delegate for that! :)
http://digitalgaia.io/backbone.html
Support him to have this further developed.
-
I'm willing to bet the bold ones are delegates. If so, this means clients also connect to them.
If so, then it is trivial to isolate them. They will be the nodes that are constantly running. Simple network analysis spread over a few days will give you the full list.
Maybe these nodes are delegates, but anyway it's not common for delegates to have an open BitShares port because it's an attack vector. Delegates work for reputation and some profit, so if something happens to a delegate he will see it, and the first thing he will do is move block production to a backup node.
-
There is a delegate for that! :)
http://digitalgaia.io/backbone.html
Support him to have this further developed.
This.
also, you can run the delegate with "--incoming-connections 0" .. then the only connections open to the server are those you defined on your own .. e.g. proxy clients to hide the signer machine
-
There is a delegate for that! :)
http://digitalgaia.io/backbone.html
Support him to have this further developed.
This.
also, you can run the delegate with "--incoming-connections 0" .. then the only connections open to the server are those you defined on your own .. e.g. proxy clients to hide the signer machine
I can't quite visualize this, having not dabbled with running a delegate yet. Would you clarify these?
- I thought the delegate *was* the signing machine?
- What exactly does --incoming-connections 0 do (besides the obvious)?
- How would the setup you describe (proxy clients, signer machine) work?
- And if incoming-connections=0, how do "proxy clients connect to the server"?
-
There is a delegate for that! :)
http://digitalgaia.io/backbone.html
Support him to have this further developed.
Looks good, will vote.
-
- I thought the delegate *was* the signing machine?
- What exactly does --incoming-connections 0 do (besides the obvious)?
- How would the setup you describe (proxy clients, signer machine) work?
- And if incoming-connections=0, how do "proxy clients connect to the server"?
the delegate is the signing machine .. it can be hidden behind a proxy full node that does hand over the signed block to the rest of the P2P network ..
the delegate is not connected to the P2P network directly ..
in essence it is the same as
http://digitalgaia.io/backbone.html
-
I'm glad there are wicked smart people discussing this.... :)
-
- I thought the delegate *was* the signing machine?
- What exactly does --incoming-connections 0 do (besides the obvious)?
- How would the setup you describe (proxy clients, signer machine) work?
- And if incoming-connections=0, how do "proxy clients connect to the server"?
the delegate is the signing machine .. it can be hidden behind a proxy full node that does hand over the signed block to the rest of the P2P network ..
the delegate is not connected to the P2P network directly ..
in essence it is the same as
http://digitalgaia.io/backbone.html
How would you go about setting this up? By having the delegate connect only to certain nodes in the config file?
-
- I thought the delegate *was* the signing machine?
- What exactly does --incoming-connections 0 do (besides the obvious)?
- How would the setup you describe (proxy clients, signer machine) work?
- And if incoming-connections=0, how do "proxy clients connect to the server"?
the delegate is the signing machine .. it can be hidden behind a proxy full node that does hand over the signed block to the rest of the P2P network ..
the delegate is not connected to the P2P network directly ..
in essence it is the same as
http://digitalgaia.io/backbone.html
How would you go about setting this up? By having the delegate connect only to certain nodes in the config file?
exactly
-
Cool. Then with proper care it seems possible to insulate delegates from becoming bullseyes.
That's what I wanted to know. I have voted for the digitalgaia delegate now, ime this is essential to preserve the integrity of the network long term.
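
An added example, not part of the thread: a check a delegate operator could run on the signing machine to confirm the setup discussed above, where the signer connects only to the operator's own relay nodes and accepts no inbound connections. It parses `lsof -i -n -P` output in the column layout posted earlier in the thread; the relay addresses, user name and sample lines are constructed, and `audit_signer` is a hypothetical helper name.

```python
import re

# One TCP row of `lsof -i -n -P`:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<name>\S+)\s+\((?P<state>[A-Z_0-9]+)\)$"
)

def audit_signer(lsof_text, relays, command="BitShares"):
    """Return sockets that break the 'signer talks only to my relays' rule.

    relays is a set of (host, port) pairs the operator controls.
    """
    findings = []
    for raw in lsof_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["cmd"] != command:
            continue  # other processes (e.g. sshd) are out of scope here
        name, state = m["name"], m["state"]
        if state == "LISTEN":
            # A listening socket means the node still accepts inbound peers.
            findings.append(("listening", name))
        elif "->" in name:
            _local, remote = name.split("->", 1)
            host, _, port = remote.rpartition(":")
            if (host, int(port)) not in relays:
                findings.append(("unexpected-peer", remote))
    return findings

# Constructed sample: two allowlisted relays, one stray peer, one listener.
# Addresses are from documentation ranges, not real nodes.
SAMPLE = """\
BitShares 986 signer 54u IPv4 34849 0t0 TCP 10.0.0.5:48096->192.0.2.10:1776 (ESTABLISHED)
BitShares 986 signer 66u IPv4 45237 0t0 TCP 10.0.0.5:54789->192.0.2.11:1776 (ESTABLISHED)
BitShares 986 signer 82u IPv4 76344 0t0 TCP 10.0.0.5:54849->203.0.113.77:1776 (ESTABLISHED)
BitShares 986 signer 12u IPv4 30001 0t0 TCP *:1776 (LISTEN)
sshd 412 root 3u IPv4 11111 0t0 TCP *:22 (LISTEN)
"""
RELAYS = {("192.0.2.10", 1776), ("192.0.2.11", 1776)}

if __name__ == "__main__":
    for kind, detail in audit_signer(SAMPLE, RELAYS):
        print(f"{kind}: {detail}")
```

An empty result means every BitShares socket on the signer terminates at one of the operator's relays; run it periodically, since a config change or restart without the intended options would show up as a new listener or peer.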